New Exploit in Bash

General and Support topics relating to ViciDialNow and GoAutoDial ISO installers

Moderators: enjay, williamconley, Op3r, Staydog, gardo, mflorell, MJCoate, mcargile, Kumba, s0lid

New Exploit in Bash

Postby Nefariousparity » Thu Sep 25, 2014 5:11 pm

Basically it is a code injection attack. Where through apache someone could potentially run commands on your system by having the service issue commands to command line via bash. It has been a bug in bash for 25 years. The quick and simple test is first anything 4.3 and below.

you can do "#>bash --version" to find version

Test Code is

env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"

If it echos back busted stuff you are vulnerable.

http://www.troyhunt.com/2014/09/everyth ... about.html
|| DB Schema Version: 1609 || Asterisk 11.25.1-vici || BUILD: 190902-0839 ||VERSION: 2.14-718a||SVN: 3133||10xTelephony||1x Database||1x Slave||1x Web||1x Archive||ViciBox v.8.0.1
Nefariousparity
 
Posts: 327
Joined: Wed Sep 12, 2012 7:01 pm

Re: New Exploit in Bash

Postby williamconley » Fri Sep 26, 2014 2:52 am

Um ... it only exploits if YOU have the system running bash commands and YOU have set that bash command sequence to use ENV variables to hold data that you accepted over the web. Doesn't seem like a particularly good idea on the face of it, and I'm not surprised at all that anyone doing this would get caught with their pants down. But it's not related to Vicidial in any way (in any distro, anywhere, ever), as far as I can tell from the documentation.

Additionally, if you've whitelisted your system (as you should), none of these attackers will have the opportunity to even test your system for the vulnerability. This is why we published Dynamic Good Guys a few years back. Whitelist is the way to go for a server that does not need to be public in the first place.

PS: CGI? Who uses that these days anyway? 8-)
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20253
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: New Exploit in Bash

Postby geoff3dmg » Fri Sep 26, 2014 3:06 am

CGI can be vulnerable because /bin/sh -> /bin/bash. I checked my Vicibox machines yesterday and they were vulnerable. SUSE were timely with patches though so they've been updated. I agree with Willam though, you shouldn't let every tom, dick and harry access your ViciDIAL. Defence in depth is a thing.
Vicibox 5.03 from .iso | VERSION: 2.10-451a BUILD: 140902-0816 | Asterisk 1.8.28.2-vici | Multi-Server | Amfeltec H/W Timing Cards | No Extra Software After Installation | Dell PowerEdge 1850 | Pentium 4 'Prescott' Xenon Quad @ 3.40GHz
geoff3dmg
 
Posts: 403
Joined: Tue Jan 29, 2013 4:35 am
Location: Lancashire, UK

Re: New Exploit in Bash

Postby williamconley » Fri Sep 26, 2014 3:31 am

We don't use CGI. CGI being vulnerable means diddley to us. If they decide php is vulnerable, that's a different story. On a funny note, an old client box running Ubuntu is NOT vulnerable. But everything SuSE is. LOL
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20253
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: New Exploit in Bash

Postby DomeDan » Fri Sep 26, 2014 4:37 am

Either way, its a serious vulnerability and it might be exploited through php, asterisk, ssh or any other service on the server
so it should be fixed at the source and not just rely on the whitelist.

Thank you Nefariousparity for posting this! :)
Vicidial Partner. Region: Sweden/Norway.
Does Vicidial installation, configuration, customization, add-ons, CRM implementation, support, upgrading, network-related, pentesting etc. Remote and onsite assistance.
Email: domedan (at) gmail.com
DomeDan
 
Posts: 1226
Joined: Tue Jan 04, 2011 9:17 am
Location: Sweden

Re: New Exploit in Bash

Postby williamconley » Fri Sep 26, 2014 2:24 pm

DomeDan wrote:Either way, its a serious vulnerability and it might be exploited through php, asterisk, ssh or any other service on the server
so it should be fixed at the source and not just rely on the whitelist.

Thank you Nefariousparity for posting this! :)

Um ... no. It won't be exploited through any process that does not utilize ENV variables in bash. PHP and asterisk do not do this. And anyone who has ssh access to your server already has bash and has no need of this exploit. And in all cases if you have whitelisted your system, the attacker has no access to exploit anything until they find an exploit that will crack IPTABLES from the outside.

This may be a far-reaching vulnerability, but it still has limited scope. The systems affected are major, but they're NOT Vicidial.
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20253
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: New Exploit in Bash

Postby gardo » Thu Oct 02, 2014 11:46 pm

Running "yum update" should fix this vulnerability on GOautodial CE. 8)
http://goautodial.com
Empowering the next generation contact centers
gardo
 
Posts: 1926
Joined: Fri Sep 15, 2006 10:24 am
Location: Manila, 1004

Re: New Exploit in Bash

Postby williamconley » Thu Oct 02, 2014 11:54 pm

We've found on most machines on all OSs (still supported ...) that just updating bash solves the problem in 30 seconds.

for instance in Vicibox:
Code: Select all
env var='() { ignore this;}; echo vulnerable' bash -c /bin/true
zypper --non-interactive up bash
env var='() { ignore this;}; echo vulnerable' bash -c /bin/true
If you see "vulnerable" the first time, the second run after the update should not show it again.
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20253
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: New Exploit in Bash

Postby Nefariousparity » Wed Oct 08, 2014 4:26 pm

Wow, sorry guys I forgot I posted this in the hasty call center environments I work in! Great extra knowledge!. All of my rigs, do use the dynamic good guys whitelist. And anyone outside the office(S) I have setup OPENvpn for them.

Excuse my posting diarrhea if I just posted a possible exploit and ran off without saying anything! You guys have definitely seemed to clear this up.
As a huge fan of ViciBOX and GoAuto, and the glorious community here. I thought I finally had something to contribute instead of ask for help!
|| DB Schema Version: 1609 || Asterisk 11.25.1-vici || BUILD: 190902-0839 ||VERSION: 2.14-718a||SVN: 3133||10xTelephony||1x Database||1x Slave||1x Web||1x Archive||ViciBox v.8.0.1
Nefariousparity
 
Posts: 327
Joined: Wed Sep 12, 2012 7:01 pm


Return to ViciDialNow - GoAutoDial

Who is online

Users browsing this forum: No registered users and 68 guests